[Senate Report 116-196]
[From the U.S. Government Publishing Office]
Calendar No. 356
116th Congress } { Report
SENATE
2d Session } { 116-196
======================================================================
PROTECTING RESOURCES ON THE ELECTRIC GRID WITH CYBERSECURITY TECHNOLOGY
ACT OF 2019
_______
January 7, 2020.--Ordered to be printed
_______
Ms. Murkowski, from the Committee on Energy and Natural Resources,
submitted the following
R E P O R T
[To accompany S. 2556]
The Committee on Energy and Natural Resources, to which was
referred the bill (S. 2556) to amend the Federal Power Act to
provide energy cybersecurity investment incentives, to
establish a grant and technical assistance program for
cybersecurity investments, and for other purposes, having
considered the same, reports favorably thereon with an
amendment in the nature of a substitute and recommends that the
bill, as amended, do pass.
Amendment
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting Resources On The Electric
grid with Cybersecurity Technology Act of 2019'' or the ``PROTECT Act
of 2019''.
SEC. 2. INCENTIVES FOR ADVANCED CYBERSECURITY TECHNOLOGY INVESTMENT.
Part II of the Federal Power Act is amended by inserting after
section 219 (16 U.S.C. 824s) the following:
``SEC. 219A. INCENTIVES FOR CYBERSECURITY INVESTMENTS.
``(a) Definitions.--In this section:
``(1) Advanced cybersecurity technology.--The term `advanced
cybersecurity technology' means any technology, operational
capability, or service, including computer hardware, software,
or a related asset, that enhances the security posture of
public utilities through improvements in the ability to protect
against, detect, respond to, or recover from a cybersecurity
threat (as defined in section 102 of the Cybersecurity Act of
2015 (6 U.S.C. 1501)).
``(2) Advanced cybersecurity technology information.--The
term `advanced cybersecurity technology information' means
information relating to advanced cybersecurity technology or
proposed advanced cybersecurity technology that is generated by
or provided to the Commission or another Federal agency.
``(b) Study.--Not later than 180 days after the date of enactment
of this section, the Commission, in consultation with the Secretary of
Energy, the North American Electric Reliability Corporation, the
Electricity Subsector Coordinating Council, and the National
Association of Regulatory Utility Commissioners, shall conduct a study
to identify incentive-based, including performance-based, rate
treatments for the transmission and sale of electric energy subject to
the jurisdiction of the Commission that could be used to encourage--
``(1) investment by public utilities in advanced
cybersecurity technology; and
``(2) participation by public utilities in cybersecurity
threat information sharing programs.
``(c) Incentive-Based Rate Treatment.--Not later than 1 year after
the completion of the study under subsection (b), the Commission shall
establish, by rule, incentive-based, including performance-based, rate
treatments for the transmission of electric energy in interstate
commerce and the sale of electric energy at wholesale in interstate
commerce by public utilities for the purpose of benefitting consumers
by encouraging--
``(1) investments by public utilities in advanced
cybersecurity technology; and
``(2) participation by public utilities in cybersecurity
threat information sharing programs.
``(d) Factors for Consideration.--In issuing a rule pursuant to
this section, the Commission may provide additional incentives beyond
those identified in subsection (c) in any case in which the Commission
determines that an investment in advanced cybersecurity technology or
information sharing program costs will reduce cybersecurity risks to--
``(1) defense critical electric infrastructure (as defined in
section 215A(a)) and other facilities subject to the
jurisdiction of the Commission that are critical to public
safety, national defense, or homeland security, as determined
by the Commission in consultation with--
``(A) the Secretary of Energy; and
``(B) appropriate Federal agencies; and
``(2) facilities of small or medium-sized public utilities
with limited cybersecurity resources, as determined by the
Commission.
``(e) Ratepayer Protection.--
``(1) In general.--Any rate approved under a rule issued
pursuant to this section, including any revisions to that rule,
shall be subject to the requirements of sections 205 and 206
that all rates, charges, terms, and conditions--
``(A) shall be just and reasonable; and
``(B) shall not be unduly discriminatory or
preferential.
``(2) Prohibition of duplicate recovery.--Any rule issued
pursuant to this section shall preclude rate treatments that
allow unjust and unreasonable double recovery for advanced
cybersecurity technology.
``(f) Single-Issue Rate Filings.--The Commission shall permit
public utilities to apply for incentive-based rate treatment under a
rule issued under this section on a single-issue basis by submitting to
the Commission a tariff schedule under section 205 that permits
recovery of costs and incentives over the depreciable life of the
applicable assets, without regard to changes in receipts or other costs
of the public utility.
``(g) Protection of Information.--Advanced cybersecurity technology
information that is provided to, generated by, or collected by the
Federal Government under subsection (b), (c), or (f) shall be
considered to be critical electric infrastructure information under
section 215A.''.
SEC. 3. RURAL AND MUNICIPAL UTILITY ADVANCED CYBERSECURITY GRANT AND
TECHNICAL ASSISTANCE PROGRAM.
(a) Definitions.--In this section:
(1) Advanced cybersecurity technology.--The term ``advanced
cybersecurity technology'' means any technology, operational
capability, or service, including computer hardware, software,
or a related asset, that enhances the security posture of
electric utilities through improvements in the ability to
protect against, detect, respond to, or recover from a
cybersecurity threat (as defined in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501)).
(2) Eligible entity.--The term ``eligible entity'' means--
(A) a rural electric cooperative;
(B) a utility owned by a political subdivision of a
State, such as a municipally owned electric utility;
(C) a utility owned by any agency, authority,
corporation, or instrumentality of 1 or more political
subdivisions of a State;
(D) a not-for-profit entity that is in a partnership
with not fewer than 6 entities described in
subparagraph (A), (B), or (C); and
(E) an investor-owned electric utility that sells
less than 4,000,000 megawatt hours of electricity per
year.
(3) Program.--The term ``Program'' means the Rural and
Municipal Utility Advanced Cybersecurity Grant and Technical
Assistance Program established under subsection (b).
(4) Secretary.--The term ``Secretary'' means the Secretary of
Energy.
(b) Establishment.--Not later than 180 days after the date of
enactment of this Act, the Secretary, in consultation with the Federal
Energy Regulatory Commission, the North American Electric Reliability
Corporation, and the Electricity Subsector Coordinating Council, shall
establish a program, to be known as the ``Rural and Municipal Utility
Advanced Cybersecurity Grant and Technical Assistance Program'', to
provide grants and technical assistance to, and enter into cooperative
agreements with, eligible entities to protect against, detect, respond
to, and recover from cybersecurity threats.
(c) Objectives.--The objectives of the Program shall be--
(1) to deploy advanced cybersecurity technologies for
electric utility systems; and
(2) to increase the participation of eligible entities in
cybersecurity threat information sharing programs.
(d) Awards.--
(1) In general.--The Secretary--
(A) shall award grants and provide technical
assistance under the Program to eligible entities on a
competitive basis;
(B) shall develop criteria and a formula for awarding
grants and providing technical assistance under the
Program;
(C) may enter into cooperative agreements with
eligible entities that can facilitate the objectives
described in subsection (c); and
(D) shall establish a process to ensure that all
eligible entities are informed about and can become
aware of opportunities to receive grants or technical
assistance under the Program.
(2) Priority for grants and technical assistance.--In
awarding grants and providing technical assistance under the
Program, the Secretary shall give priority to an eligible
entity that, as determined by the Secretary--
(A) has limited cybersecurity resources;
(B) owns assets critical to the reliability of the
bulk power system; or
(C) owns defense critical electric infrastructure (as
defined in section 215A(a) of the Federal Power Act (16
U.S.C. 824o-1(a))).
(e) Protection of Information.--Information provided to, or
collected by, the Federal Government under this section--
(1) shall be exempt from disclosure under section 552(b)(3)
of title 5, United States Code; and
(2) shall not be made available by any Federal agency, State,
political subdivision of a State, or Tribal authority under any
applicable law requiring public disclosure of information or
records.
(f) Funding.--There is authorized to be appropriated to carry out
this section $50,000,000 for each of fiscal years 2020 through 2024, to
remain available until expended.
Purpose
The purpose of S. 2556 is to amend the Federal Power Act
(FPA, 16 U.S.C. 791a et seq.) to provide energy cybersecurity
investment incentives and to establish a grant and technical
assistance program for cybersecurity investments by electric
utilities.
Background and Need
The United States electric grid is comprised of a vast
network of transmission and distribution systems that deliver
electricity from producers to consumer homes and businesses.
Many sectors of our economy, including healthcare and
manufacturing, simply cannot operate without a reliable supply
of electricity. As advances in digital and information
technology continue to electrify our daily lives, our exposure
to a potentially devastating cyber or physical attack on the
grid increases.
A number of Federal agencies are responsible for protecting
our electric grid from physical and cyber threats, including
the Department of Energy (DOE) and the Federal Energy
Regulatory Commission (FERC or Commission). DOE works closely
with electric sector owners and operators to detect and
mitigate risks to critical electric infrastructure, and to
develop tools and other resources to assist the sector in
evaluating and improving their security preparedness. Section
61003(c)(2) of the Fixing America's Surface Transportation Act
(Public Law 114-94; 6 U.S.C. 121 note) in 2015, Congress
codified DOE as the Sector-Specific Agency for cybersecurity
for the energy sector.
With respect to FERC, section 1211 of the Energy Policy Act
of 2005 (EPAct '05, Public Law 109-58) added section 215 to the
Federal Power Act, which authorized the Commission to certify
an Electric Reliability Organization to develop mandatory
reliability standards for the electric transmission system,
including physical and cybersecurity standards. The law tasked
FERC with approving and enforcing these mandatory standards--
violations of which can result in penalties of up to $1 million
per violation per day. FERC also approves rates for electric
transmission services by investor-owned utilities. Part of the
costs included in a utility's transmission rates are costs
associated with investments to protect the grid from
cybersecurity threats.
S. 2556 enhances electric grid security by strengthening
the cybersecurity partnership between industry and government
and facilitating the deployment of advanced cybersecurity
technology. Specifically, the bill directs FERC to issue a
rulemaking to incentivize investments in advanced cybersecurity
technology that enhance the security posture of public
utilities regulated by FERC. The rule will make these
incentives available for advanced cybersecurity technology
investments in facilities for the transmission and sale of
electric energy subject to the jurisdiction of the Commission.
With respect to electricity sales, the Commission will have the
discretion to make such incentives available for cost-based
sales, market-based sales, or both. The Commission will ensure
these incentives do not permit duplicate recovery of
investments.
The bill also establishes a grant and technical assistance
program at DOE to deploy advanced cybersecurity technology on
the electric systems of utilities that are not regulated by
FERC, such as cooperatives and municipal utilities, as well as
small investor-owned utilities that sell less than four million
megawatt hours of electricity per year.
Legislative History
S. 2556 was introduced by Senators Murkowski, Manchin,
Risch, Cantwell, and King on September 26, 2019. The
Subcommittee on Energy held a hearing on S. 2556 on November 6,
2019.
The Senate Committee on Energy and Natural Resources met in
open business session on November 19, 2019, and ordered S. 2556
favorably reported, as amended.
Committee Recommendation
The Senate Committee on Energy and Natural Resources, in
open business session on November 19, 2019, by a majority voice
vote of a quorum present, recommends that the Senate pass S.
2556, if amended as described herein. Senator Lee asked to be
recorded as voting no.
Committee Amendment
During its consideration of S. 2556, the Committee adopted
an amendment in the nature of a substitute.
The substitute amendment provides that incentives for
investments in advanced cybersecurity technology will be made
available by FERC to rates for both the transmission and sale
of electric energy under its jurisdiction. As introduced, S.
2556, the PROTECT Act, limited such incentives to transmission
rates. With respect to rates for electricity sales, the
Commission will have the discretion to make such incentives
available for cost-based sales, market-based sales, or both.
The Commission will ensure these incentives do not permit
duplicate recovery of investments.
The substitute amendment also expands the eligibility for
the Rural and Municipal Utility Advanced Cybersecurity Grant
and Technical Assistance Program under section 3 to investor-
owned electric utilities that sell less than four million
megawatt hours of electricity per year.
Section-by-Section Analysis
Section 1. Short title
Section 1 sets forth the short title of the bill.
Section 2. Incentives for Advanced Cybersecurity Technology Investment
Section 2 amends the FPA by adding a new section 219A,
titled ``Incentives For Cybersecurity Investments.''
The new section 219A(a) defines relevant terms.
The new section 219A(b) directs FERC, in consultation with
the Secretary of Energy (Secretary), the North American
Electric Reliability Corporation (NERC), the Electricity
Subsector Coordinating Council (ESCC), and the National
Association of Regulatory Utility Commissioners to conduct a
study to identify incentive-based rate treatments that could be
used to encourage investments in advanced cybersecurity
technology or participation in cybersecurity threat information
sharing programs.
The new section 219A(c) directs FERC to establish
incentive-based rates to encourage investments in advanced
cybersecurity technology and participation in cybersecurity
threat information sharing programs.
The new section 219A(d) authorizes FERC to provide greater
incentives for any investments in advanced cybersecurity
technology that would reduce cybersecurity risks to defense
critical electric infrastructure or facilities of small or
medium-sized utilities with limited cybersecurity resources.
The new section 219A(e) provides that all rates established
under section 219A shall be subject to the ratepayer protection
requirements of sections 205 and 206 of the FPA. It also
prohibits public utilities from receiving double recovery of
investments in advanced cybersecurity technology.
The new section 219A(f) specifies that a public utility may
apply for incentive-based rate treatment under this section on
a single-issue basis rather than requiring a full examination
of a utility's rates normally required by section 205 of the
FPA.
The new section 219A(g) states that any information
concerning advanced cybersecurity technology that is provided
to, generated by, or collected by the Federal Government under
this section will be considered critical electric
infrastructure information under the FPA.
Section 3. Rural and Municipal Utility Advanced Cybersecurity Grant and
Technical Assistance Program
Section 3(a) defines relevant terms.
Subsection (b) directs the Secretary, in consultation with
FERC, NERC, and the ESCC to establish a program to provide
grants and technical assistance to eligible entities to protect
against, detect, respond to, and recover from cybersecurity
threats.
Subsection (c) states that the program's objectives are to
deploy advanced cybersecurity technology for electric utility
systems and to increase the participation in cybersecurity
threat information sharing programs.
Subsection (d) directs the Secretary to award grants and
provide technical assistance on a competitive basis, develop
criteria for grant and technical assistance applications, and
ensure that all eligible entities are informed about
opportunities to receive grants or technical assistance. The
subsection also provides that priority for the grants and
technical assistance will be given to eligible entities with
limited cybersecurity resources and those that own defense
critical electric infrastructure or other assets critical to
grid reliability.
Subsection (e) provides that information provided to, or
collected by, the Federal Government under the program shall be
exempt from public disclosure.
Subsection (f) authorizes $50 million for each of fiscal
years 2020 through 2024 to carry out this section.
Cost and Budgetary Considerations
The Congressional Budget Office estimate of the costs of
this measure has been requested but was not received at the
time the report was filed. When the Congressional Budget Office
completes its cost estimate, it will be posted on the internet
at www.cbo.gov.
Regulatory Impact Evaluation
In compliance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee makes the following
evaluation of the regulatory impact which would be incurred in
carrying out S. 2556. The bill is not a regulatory measure in
the sense of imposing Government-established standards or
significant economic responsibilities on private individuals
and businesses.
No personal information would be collected in administering
the program. Therefore, there would be no impact on personal
privacy.
Little, if any, additional paperwork would result from the
enactment of S. 2556, as ordered reported.
Congressionally Directed Spending
S. 2556, as ordered reported, does not contain any
congressionally directed spending items, limited tax benefits,
or limited tariff benefits as defined in rule XLIV of the
Standing Rules of the Senate.
Executive Communications
The testimony provided by the Department of Energy at the
November 6, 2019, hearing on S. 2556 follows:
Testimony of Assistant Secretary Daniel Simmons Office of Energy
Efficiency and Renewable Energy U.S. Department of Energy Before the
Committee on Energy and Natural Resources Subcommittee on Energy United
States Senate November 6, 2019
introduction
Chairman Cassidy, Ranking Member Heinrich, and Members of
the Energy Subcommittee of the Committee on Energy and Natural
Resources, thank you for the opportunity to testify today on
legislation pertinent to the Department of Energy now pending
in the Senate. My name is Daniel Simmons, and I am the
Assistant Secretary for the Office of Energy Efficiency and
Renewable Energy (EERE).
As the Assistant Secretary, I am responsible for overseeing
a broad portfolio of energy efficiency and renewable energy
programs. The technologies in my portfolio advance America's
economic growth and energy security while enhancing the
reliability and resilience of the U.S. energy system. The
Department of Energy supports improving the energy efficiency
and reducing energy costs, while at the same time ensuring
important performance standards are met or exceeded. For
instance, we want to ensure schools and other buildings are
sufficiently bright to ensure safety, and that water flow from
faucets is strong enough to clean dirty hands. Today, I would
like to share what relevant work my office has done and is
doing in the areas that these bills address.
I have been asked to testify on eleven (11) bills today,
addressing a range of important energy issues. The
Administration continues to review all of these bills. I
appreciate the ongoing bipartisan efforts to address our
Nation's energy challenges and I look forward to working with
the Committee.
bills
S. 2556--Protecting Resources On The Electric grid with Cybersecurity
Technology (PROTECT) Act
S. 2556, or the PROTECT Act, amends the Federal Power Act
to provide energy cybersecurity investment incentives, to
establish a grant and technical assistance program for
cybersecurity investments. The bill directs FERC to issue a
rulemaking on rate incentives for advanced cybersecurity
technology, which will enable and incentivize utilities to
invest in new technologies that improve their cybersecurity
defenses. It also establishes a DOE grant program for utilities
that are not regulated by FERC to deploy advanced cybersecurity
technology, such as electric cooperatives and municipal
utilities.
The Department will continue to review the legislation and
looks forward to working with Congress as the legislative
process moves forward.
conclusion
Thank you again for the opportunity to testify before the
Subcommittee today. The Department appreciates the ongoing
bipartisan efforts to address our Nation's energy challenges,
and looks forward to working with the Committee on the
legislation on today's agenda and any future legislation. I
would be happy to answer your questions.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the changes in existing law made
by S. 2556, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, existing law in which no change is
proposed is shown in roman):
FEDERAL POWER ACT
The Act of June 10, 1920, Chapter 285, as Amended
* * * * * * *
PART II--REGULATION OF ELECTRIC UTILITY COMPANIES ENGAGED IN INTERSTATE
COMMERCE
* * * * * * *
SEC. 219. TRANSMISSION INFRASTRUCTURE INVESTMENT.
(a) Rulemaking Requirement.--Not later than 1 year after
the date of enactment of this section, the Commission shall
establish, by rule, incentive-based (including performance-
based) rate treatments for the transmission of electric energy
in interstate commerce by public utilities for the purpose of
benefitting consumers by ensuring reliability and reducing the
cost of delivered power by reducing transmission congestion.
(b) Contents.--The rule shall--
(1) promote reliable and economically efficient
transmission and generation of electricity by promoting
capital investment in the enlargement, improvement,
maintenance, and operation of all facilities for the
transmission of electric energy in interstate commerce,
regardless of the ownership of the facilities;
(2) provide a return on equity that attracts new
investment in transmission facilities (including
related transmission technologies);
(3) encourage deployment of transmission technologies
and other measures to increase the capacity and
efficiency of existing transmission facilities and
improve the operation of the facilities; and
(4) allow recovery of--
(A) all prudently incurred costs necessary to
comply with mandatory reliability standards
issued pursuant to section 215; and
(B) all prudently incurred costs related to
transmission infrastructure development
pursuant to section 216.
(c) Incentives.--In the rule issued under this section, the
Commission shall, to the extent within its jurisdiction,
provide for incentives to each transmitting utility or electric
utility that joins a Transmission Organization. The Commission
shall ensure that any costs recoverable pursuant to this
subsection may be recovered by such utility through the
transmission rates charged by such utility or through the
transmission rates charged by the Transmission Organization
that provides transmission service to such utility.
(d) Just and Reasonable Rates.--All rates approved under
the rules adopted pursuant to this section, including any
revisions to the rules, are subject to the requirements of
sections 205 and 206 that all rates, charges, terms, and
conditions be just and reasonable and not unduly discriminatory
or preferential.
SEC. 219A. INCENTIVES FOR CYBERSECURITY INVESTMENTS.
(a) Definitions.--In this section:
(1) Advanced cybersecurity technology.--The term
`advanced cybersecurity technology' means any
technology, operational capability, or service,
including computer hardware, software, or a related
asset, that enhances the security posture of public
utilities through improvements in the ability to
protect against, detect, respond to, or recover from a
cybersecurity threat (as defined in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501)).
(2) Advanced cybersecurity technology information.--
The term `advanced cybersecurity technology
information' means information relating to advanced
cybersecurity technology or proposed advanced
cybersecurity technology that is generated by or
provided to the Commission or another Federal agency.
(b) Study.--Not later than 180 days after the date of
enactment of this section, the Commission, in consultation with
the Secretary of Energy, the North American Electric
Reliability Corporation, the Electricity Subsector Coordinating
Council, and the National Association of Regulatory Utility
Commissioners, shall conduct a study to identify incentive-
based, including performance-based, rate treatments for the
transmission and sale of electric energy subject to the
jurisdiction of the Commission that could be used to
encourage--
(1) investment by public utilities in advanced
cybersecurity technology; and
(2) participation by public utilities in
cybersecurity threat information sharing programs.
(c) Incentive Based Rate Treatment.--Not later than 1 year
after the completion of the study under subsection (b), the
Commission shall establish, by rule, incentive-based, including
performance-based, rate treatments for the transmission of
electric energy in interstate commerce and the sale of electric
energy at wholesale in interstate commerce by public utilities
for the purpose of benefitting consumers by encouraging--
(1) investments by public utilities in advanced
cybersecurity technology; and
(2) participation by public utilities in
cybersecurity threat information sharing programs.
(d) Factors for Consideration.--In issuing a rule pursuant
to this section, the Commission may provide additional
incentives beyond those identified in subsection (c) in any
case in which the Commission determines that an investment in
advanced cybersecurity technology or information sharing
program costs will reduce cybersecurity risks to--
(1) defense critical electric infrastructure (as
defined in section 215A(a)) and other facilities
subject to the jurisdiction of the Commission that are
critical to public safety, national defense, or
homeland security, as determined by the Commission in
consultation with--
(A) the Secretary of Energy; and
(B) appropriate Federal agencies; and
(2) facilities of small or medium-sized public
utilities with limited cybersecurity resources, as
determined by the Commission.
(e) Ratepayer Protection.--
(1) In general.--Any rate approved under a rule
issued pursuant to this section, including any
revisions to that rule, shall be subject to the
requirements of sections 205 and 206 that all rates,
charges, terms, and conditions--
(A) shall be just and reasonable; and
(B) shall not be unduly discriminatory or
preferential.
(2) Prohibition of duplicate recovery.--Any rule
issued pursuant to this section shall preclude rate
treatments that allow unjust and unreasonable double
recovery for advanced cybersecurity technology.
(f) Single-Issue Rate Filings.--The Commission shall permit
public utilities to apply for incentive-based rate treatment
under a rule issued under this section on a single-issue basis
by submitting to the Commission a tariff schedule under section
205 that permits recovery of costs and incentives over the
depreciable life of the applicable assets, without regard to
changes in receipts or other costs of the public utility.
(g) Protection of Information.--Advanced cybersecurity
technology information that is provided to, generated by, or
collected by the Federal Government under subsection (b), (c),
or (f) shall be considered to be critical electric
infrastructure information under section 215A.
* * * * * * *